My wife and I met via online personals. She was telling me that about 95% of the emails she got were from men with user IDs along the lines of "Bigpenis69" and "Bigstud72" and the like. That's the reason why she even talked to me, because I didn't have a name that was in any way reflecting my supposed virility. I have no trouble believing that most of your sister's replies come from old, creepy dudes.

Also, regarding the "plenty of whales" comment above... it amuses me to no end that many lonely geeks and nerds will judge less attractive women to be not worth asking out, only to turn around and moan and whine when attractive women use the same methods to exclude them from consideration.

Q: "Why don't pretty women like me?"
A: Because they're just as shallow as you are and judge as much by appearance as you do.

Being pretty or not has little to do with how much weight you choose to carry. I have seen so many lovely women - from the neck up. From the neck down it's a disaster area. If she only weighed 130 instead of 250, she'd be perfect.

You call dating based on physical attractiveness shallow... Fair enough. I would counter with the question: Why should I date people who aren't attractive to me? Why is physical attractiveness any less important than emotional attractiveness? I'd agree that it's shallow to date on looks alone... But speaking as someone who has tried having romantic relationships with people he isn't physically attracted to, I can say that it doesn't work any better than a relationship with someone I'

I'm always incredulous at how many people still use PoF despite how bad it is. OKCupid is so much better (still free though), because the questions help you automatically weed out all the icky people you don't want to have anything to do with.

The "hacker" found a weakness in the website's security and exploited it. Then the website found a weakness in the hacker's security and did the same in turn. You'd think the hacker in question would be a little more secure about their own personal information.

What "weakness in the hackers' security" are you referring to? The one where they gave them their names because they were trying to disclose a vulnerability? I wasn't aware searching for a name on Facebook was considered hacking now. Silly comment.

The one where they gave them their names because they were trying to disclose a vulnerability?

I find it sillier that they choose to refer to themselves as "security researchers". I mean, if you're going to hack websites and then brag about it to the website to rub their faces in the fact that you defeated their security, go ahead and call yourself a "hacker". Don't try to perfume the turd by pretending that you've got some altruistic motive.

The "hacker" found a weakness in the website's security and exploited it. Then the website found a weakness in the hacker's security and did the same in turn. You'd think the hacker in question would be a little more secure about their own personal information.

Disturbing! Finding his Facebook page is quite an impressive hack. Then emailing his mom - wow man - that will definitely scare him off. One hacker down!

You should read the articles linked in the summary - quite an entertaining read. Chris Russo comes off looking like the victim, and the dating site (which appears to be the same to dating sites as blogs are to serious journalism) founder comes off looking like a complete jackass.

On January 18th, after days of countless and unsuccessful attempts, a hacker gained access to the Plentyoffish.com database. We are aware from our logs that 345 accounts were successfully exported. Hackers attempted to negotiate with Plentyoffish to "hire" them as a security team. If Plentyoffish failed to cooperate, hackers threatened to release hacked accounts to the press.

Specifically, there's a link in the article to Marcus Frind's blog [wordpress.com], in which he claims in the same paragraph that "This was an incredibly well planned and sophisticated attack" and that "It took Chris Russo 2 days to break in; he didn’t even try to hide behind a proxy, signed up under his real name and executed the attacks while logged in as himself." Fortunately, Frind then "closed the breach if indeed there was one."

Now, it's entirely possible - since both of them obviously want to sound as cool as possible - that Chris Russo was hoping to land a security gig with POF, and said some things to suggest urgency and encourage Frind to hire him. But, frankly, Frind, on his own blog, sounds like a disjointed paranoid, talking about how damn clever he is for foiling this wily hacker. Who discovered the plaintext password storage the site uses. If they're both wankers, I'd still give credit to Russo rather than Frind. I use POF myself (with the requisite sense of shame), and the site's asking for password resets because "an Argentinian hacker accessed the site." Oh, and here's the brilliant method of getting new passwords: first you enter your email (which an exploiter would already know), then you enter your current password (which the exploiter would know), and your new password. So I guess all the users are pretty much safe! :D

Back when Cheswick and Bellovin were doing the original Bell Labs firewalls, and caught a Dutch teenager trying to hack into their site, the Netherlands didn't have any computer security laws that made it illegal. "So we called his mom...."

I was on the site for a while. It was always slightly clunky, but I'd prefer a free, one-man labor of love to a buy-in site that basically tries to promise sex for money. It was particularly helpful in helping me discover that I wasn't as bad as most of the creeps out there... and conversely, creepiness doesn't belong exclusively to those of the male persuasion. That was good to know -- it helped me realize that I need to be picky. (And my pickiness was rewarded many times over when I found my fiancee. In my Sunday School class).

But on the tech side, it irritated the living crap outta me that POF would send me a weekly e-mail with my password IN PLAIN TEXT. Every week, just as a reminder of how easy it would be to log in. Yeah, easy for *anyone* to log in as me and, if I were foolish enough to put important information on POF, to mess with my life. And, of course, if I were foolish enough to use that password for my bank account... well, I think anyone on this site knows the rest.

So I'm not at all surprised that someone found a way to hack POF. Sending a password in plaintext is bad, but not uncommon. Heck, T-Mobile does it. But sending it every week, unsolicited? I'm sorry to be rude, but that's just stupid.

I used POF, and found its interface to be absolute shit. I still get emails from them on a bi-weekly basis, with password still in plaintext (after noticing this the very first time I immediately changed it to something more appropriate to something emailed in plaintext). The guy who runs it makes like $1mil+ a month in ad revenue, so I don't really feel bad about his baby getting hacked when he has the money to hire someone with half a brain.

Agreed. I've used it. And honestly I think online dating is the most efficient way to find someone you're compatible with. You have a list of people answering questions you wouldn't dare to ask them before you see them naked a few times (e.g. what religion are you, do you want to get married and/or just have fun) and you've got a whole list of them. Select your criteria, weed out the fatties and the uglies and email the rest. A couple of them respond, talk to them go on dates with a few and 'viola' - instant girlfriend and/or friend with benefits. It's beautiful. And like you said, most of the competition is just deadbeat dudes. Pretty easy to beat.

But as you also said, it's one dude's project and the interface... well, it kind of shows it. I'm not surprised they're hacked. But honestly, these dating services are generally public anyway, so if these sites are not hacked, they're definitely farmed. The way I look at it... fuck it. I'm looking for titties!

And like you said, most of the competition is just deadbeat dudes. Pretty easy to beat. [...] Select your criteria, weed out the fatties and the uglies and email the rest. [...] The way I look at it... fuck it. I'm looking for titties!

Hmmm...and your definition of a 'deadbeat dude' includes what, exactly?

The competition may be tougher than you think...

(and it's 'voila', not 'viola'. That would be a musical instrument, or a flower.)

You know, I've heard this repeated so many times, but I can't even get a response from girls on dating websites despite not only having a job, but a well paying job. Yes, I'm a nerd, but still. You'd think I could at least get a response... I'm going to go cry into a wad of cash now.

"You know, I've heard this repeated so many times, but I can't even get a response from girls on dating websites despite not only having a job, but a well paying job. "

Hmm....just how many girls on the websites are you approaching? You know, it is really a HUGE numbers game on the internet, maybe even more so than in real life meatspace.

Are you trying to contact 100's or more of women a week?

Make yourself out a basic 'template' of an email to use...with some spaces in there to maybe personalize your message a little bit...maybe to mention one specific thing you read about her (if you bother reading them, and don't go straight from looks). Anyway, use this basic 'canned' email and send it out over and over and over and over and...well, you get the idea. Heck, even send it to chicks you might not even be interested in, just to gauge response. If it doesn't work...tweak it a little.

I actually heard some guys did the reverse engineering thing...they created a fictitious account as a chick, with good looking pics and all...just for the sole objective...of seeing what other guys were posting on their profiles, and the types of emails they were sending. Some guys doing this would even have girls who were just friends read what the guys were sending, just to see what they thought they as women would respond to.

The researchers used all this to tune their emails to women, and started getting a lot more response (of course, they STILL sent out 100's and 1000's of emails to women, but they were better quality emails).

Go to a goddam stylist, get a very pretty and fashionable female friend (or well dressed gay dude friend, or whatever) to help you pick out a good wardrobe. Seriously. Stylish chicks love a makeover project. It makes them feel like they're the Helpful Pretty Friend in an ugly duckling movie. I've seen a total skid theater tech transformed into a fairly dapper fellow. Unless you already wear outfits worth over $500, you will benefit greatly from a friend making you over. If you are like every other geekass b

I've been on the site, and while I won't go into details about the 'quality' of some of the women I've met, I can tell you for sure that I have zero problem getting the initial contact. On average, I'd say about 5-6 a week come in from my local area, from me doing nothing at all.

Granted, the pool of quality women is JUST as limited as the pool of quality men available to a woman is. But then again, I'm picky.

The account-creation page was broken when I tried the site, and the tech support sent abusive mail, so I now regard them as a bunch of juveniles. A dating site that is actually usable has to be their first priority; competent and friendly tech support needs to be their next.

If a site can email you your password, it is not just bad. It is a sign of fscked-up security. The only way of knowing your password is to store it in plain text or in some automatically decipherable form. If a site sends you your password, you should ask them why password hashes are not used.

I didn't mind the interface. It was nice to see something simple. However, I left when he became more like Facebook in that to read any message you had to supply information such as your income level, occupation, and related matters.

While you could falsify the stuff, the problem came in when it was discovered that when you did a search, your results were based on what was on your profile. So if you said your salary was $100K, then whatever programming was done on the backside would limit your results to

So if you said your salary was $100K, then whatever programming was done on the backside would limit your results to people who had a salary range of $80K - $110K, for example. Someone who made $50K would not be included.

The results would limit to other people who *themselves* made $80-110K, or to people who *wanted someone else* who makes $80-110K?

It would be limited to people who themselves made the range. So, if you made $85K and they made $80K, you would show up in each other's search.

If you made $56K and they made $85K, neither would show in the other's search.

I don't think there was a way to search for people within a salary range. I don't remember seeing anything like that. However, as I did mention, you could do a wider search from the homepage, when you weren't logged in, which would show you anyone who met your criteria regardless of salary

That's quite strange. I wonder why they do that. I don't think most people are totally uninterested in others who are beyond +/- 10% of their own salary. That isn't the case for me, at least.

I can tell you OKCupid is an infinitely better site interface-wise and functionality-wise, at least. Better than any other site I've tried. In particular, unlike practically every other dating site, they tell you exactly when people last logged in for free instead of playing games hiding that information to make you think the

So an immature but technically competent jerk cracked your computers and is now trying to get your company's lunch money, metaphorically. Your response is, among other things, to tell his mom.

O_o

You know, that sounds about right.

How would a "security researcher" know that a SQL injection bug was being actively exploited if he just uncovered the bug himself?

This sounds a bit odd, as using a SQL injection to expose the users' details would require you to deliberately manipulate querystring parameters or form fields. The results will display in your own browser. How would he know whether anyone else was doing this? Was it because he really didn't uncover it himself but found the 30,000 users' details somewhere else?
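An added illustration of the mechanism the comment above describes (this is example code, not Plenty of Fish's code and not from the thread): a user lookup that splices a querystring parameter straight into SQL, beside the parameterized form that treats the parameter as data. The table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample records standing in for a dating site's user table
# (hypothetical data; nothing here comes from the real site).
USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: the request parameter is concatenated into the statement,
    so any quote character in it is parsed as SQL rather than as a value."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: bind the parameter; the driver never interprets it as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with the textbook
    tautology input, and return the row counts each one produces."""
    conn = build_db()
    normal = "alice"
    tautology = "' OR '1'='1"  # turns the WHERE clause into always-true
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "parameterized_normal": len(lookup_parameterized(conn, normal)),
        "parameterized_tautology": len(lookup_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable lookup returns every row for the tautology input, which is exactly the "expose the users' details" outcome the comment describes; the parameterized lookup returns none, because no user is literally named `' OR '1'='1`.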

We only have the site owner's word for the claim that the hacker claimed it was actively exploited.

Does this web site operator really strike you as the most trustworthy of characters? (Not that we have any reason to trust Mr. Russo either -- that's the point, it doesn't have to be black and white.)

Take a step back and look at the few things we DO know:
- The site employed poor security practices
- The site was hacked
- The hacker contacted the site owner

Anything beyond this is at this point hearsay.

Conducting unrequested and unauthorised penetration testing is a criminal offence, and that should always be the case. Otherwise you could have too many people who get caught hacking and then just hide behind the excuse that they were just doing some penetration testing and were going to notify the site owners if they found anything.

The reality is that a large number of sites out there have vulnerabilities as not every site can afford to have their site penetration tested on a regular basis. Coders can do t

The reality is that a large number of businesses out there do not have front doors, or keep their doors wide open, as not every business can afford to have their office facilities penetration tested on a regular basis. Maintenance staff can do their best but they are only human, and hence they occasionally make mistakes. It only takes a single mistake made on a Friday afternoon while the office was winding down and you can be vulnerable.

Not every business model can support the profit margins needed to purch

What he says is that this kind of vulnerability is actively exploited by hackers, not necessarily on this particular site. It's not something very specific to the site, but a common technique, so the site is under very high risk.

They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations.

I just looked it up online and found no mention of needing different incorporation types for dealing with customers only in Argentina vs. external to Argentina. The highest fee I found online (although I'm sure there are companies willing to charge more) was USD $1760 to form a "Sociedad Anónima" vs. USD $1370 to form a "Sociedad de Responsabilidad Limitada" (sounds like a standard Limited Liability Corporation, but I'm not an Argentine business lawyer so I could be wrong), far short of the $15,000 they are asking for.

Last Friday, 21 January, we discovered a vulnerability in www.plentyoffish.com exposing users' details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text, and in most cases PayPal accounts, of more than 28,000,000 (twenty-eight million) users. This vulnerability was under active exploitation by hackers.

Really?? You would assume any notification of a security breach to be fraudulent until proven otherwise? What web site do you operate, so I can be sure never to sign up or give you any personal details?

Why bother with hyphens? plenty.of.fish doesn't use any more characters and is arguably more readable. Yes, it means you have to worry about "fish" being taken, but fish.co is currently listed as available (it's a parked address) so plenty.of.fish.co would be a perfectly good registration. For now.

The main benefit of having it done like this is that whoever owns fish.co can resell names from that without conflicting with their own site. You can't really do the same with offish.com.

Second, it's not cyber-squatting if you're selling a subdomain. I'd regard it as far more ethical and far more in line with the notion of a domain hierarchy to encourage even-handed reselling of subdomains.

Third, why would there be any track of hits? There may be a certain number of hostname lookups (not usually tracked by anyone), but nobody would go through anyone else. All the fish.co owner would be doing is renting a prefix, just the s

Tried Plenty of Fish for a short while - as a default, the service will mail 'new matches' to the email account you registered with every few days. These emails contain a plain-text version of your password (which essentially reads as "Remember, your password is: XXXX123").

It's not entirely surprising that the site had its security compromised.

No secure site should even have the ability to read your plaintext password from the database, let alone email it to you on a regular basis. The only (potentially) secure password database is the one that's encrypted with a one-way hash.

As a side, when Gawker got hacked, they had the one-way hash, and either no salt, or a known/guessable salt. Simple passwords have still been discovered, via a dictionary attack. So, you were right to put (potentially) in there.

Gawker's hash was salted with a random 2-digit string. The salt was known because it is included in the hash (standard behavior -- you need the salt in order to reproduce the hash when the user enters the password). The problem is a salt isn't really a protection against a brute force or dictionary attack on a single one-way hash. A salt is used to prevent you from using the results of your efforts on one hash on another hash. It's a defense against pre-computed rainbow tables (generating every possible has
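As an added example (not code from the thread, from Plenty of Fish or from Gawker), here is the storage model the comments on plaintext passwords and on salts argue for: a per-user random salt with a slow one-way KDF, a verification routine that recomputes from the stored salt, and a banned-password check showing that a salt does not stop guessing a weak password for a single record. The PBKDF2-HMAC-SHA256 choice, the 100,000 iterations and the record format are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example, not any site's real configuration.
ALGO = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.
    The salt is stored in the clear next to the hash; as the comment above
    notes, that is standard and not a weakness, since the salt's job is only
    to make each record's hash unique, not to be secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time.
    Nothing here can recover the password itself, which is exactly why a
    site built this way cannot email it to you every week."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != f"pbkdf2_{ALGO}":
        raise ValueError(f"unsupported record type {algo!r}")
    digest = hashlib.pbkdf2_hmac(ALGO, candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def matches_banned_list(record: str, banned: list) -> Optional[str]:
    """Defensive audit: does this record's password appear on a list of
    known-weak passwords? This is the same computation a dictionary attack
    on one hash performs, which is the comment's point: the salt forces the
    work to be redone per record but does not protect a weak password, so
    the slow KDF and a strong password are what actually limit it."""
    for guess in banned:
        if verify_password(record, guess):
            return guess
    return None


def records_differ_for_same_password(password: str) -> bool:
    """Two users with the same password get unrelated records, so work spent
    on one hash (or a precomputed table) tells you nothing about the other."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("hunter2")  # constructed weak password
    print(rec)
    print("verify ok:", verify_password(rec, "hunter2"))
    print("weak password found:", matches_banned_list(rec, ["123456", "hunter2"]))
    print("same password, different records:", records_differ_for_same_password("hunter2"))
```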

If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.

Then I'm going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn't piratebay and we definitely aren't fooling around.

Who in their right mind believes anything on plentyoffish.com, match.com, date.com, cupid.com, eharmony.com... All they are optimized to do is to increase the likelihood NOT to find the correct partner so as to get as much free money as possible. Not doing it this way would be an epic loss of opportunity from a business point of view.

As a general rule, cars have been getting more and more reliable every year. They don't make them like they used to, and that's a good thing. Are there still preventable defects in cars? Sure, but they're getting fewer and farther between.

1) Your chances of finding "the one" out of any given sample of human beings, even selecting for particularly "compatible" traits, is very low
2) Sites like OkCupid need their customers to find people who are, at the very least, passable by whatever their standards are in order to maintain that customer base
3) Nobody has written a matching algorithm so good that, "By golly, we're such good matchmakers, we're putting ourselves out of business!" And if they did, it wouldn't put them out

They've changed all passwords due to the attack (I got a fresh, random one). I have a vague worry that my email address will turn up somewhere I don't want it to, but apart from that there's no other useful personal information on my profile, which, when I come to think of it is kind-of ironic for a dating site:p.

He didn't email the hacker's mother, he emailed the security researcher's mother. Some unknown party hacked his website, and he blames the security researcher that was going out of his way to assist them in closing the vulnerability. After reading the researcher's take on this, the POF CEO could possibly be facing criminal charges for uttering death threats, harassment and perhaps a civil libel suit.

*Headline taken from: http://www.krebsonsecurity.com/

A much easier headline.

Despite the term hacker not defining whether good or bad, and instead only indicating circumvention of computer security, it has been used so virally in the media that it now tends to imply that a malicious hack was carried out. In short, the headline "PlentyofFish Hacked Founder Emails Hackers Mom" seems to suggest that the founder of PlentyofFish had found the person who breached his servers and then emailed their mother. However that

There's a gas station by my house that likes to put the names of people that bounced checks along with all their contact info on a great big billboard for the entire city to see. It's pretty entertaining.

Reading both accounts of the story (one from the CEO, the other from the security expert), it seems to be a case of "who do you believe". All we truly know is that the site was hacked, these guys were involved somehow, and now they're mad at each other. Everything else is just based on what one side or the other says.

That said, looking through the blog postings of the CEO, he strikes me as having the classic case of paranoid narcissist personality disorder. Every other posting is a rant about how his competitors are all out to get him. Everything they do is about HIM and a response to HIS business. When eHarmony does something, it's not just an innocent business expansion, it's a direct personal attack on this guy. I've worked with presidents and CEOs who use similar wording to this CEO in their daily speech, and whose nuances and mannerisms seem to match this guy's perfectly. Although my examples are only anecdotal, I'd be willing to bet this disorder is quite common among business leaders.

Not knowing more about the situation and only having their two accounts to go with, I would probably fall on the side of believing the security expert's account more, just looking at the level of paranoia and exaggeration in the CEO's blogging history.

Markus is a spoiled, rich crybaby. He's made so much money off that hideous site for so many years (and boasted about it for ages on his blog)... you would think he could afford proper security audits and support to close holes.

Basically he's been sitting on his ass technically for nearly the entire time, and now he's pissy because his lack of attention bit him.

And for the record, OkCupid.com is so immeasurably better than PoF in every way, it's time for the old whale to die.